SNS 4.6.9 bug fixes

System

IPsec VPN

Support references 85095 - 85252

Firewalls on which the option Do not initiate the tunnel (Responder only) is enabled no longer wrongly generate phase 1 re-authentication requests.

Support reference 84821

In a configuration resembling the following on site A:

  • An initial IPsec tunnel to site B is defined in the IPsec policy,
  • A second tunnel to site C is based on a virtual IPsec interface (VTI),
  • A static route specifies the network to site C,
  • The network defined for site C's traffic endpoint overlaps with the network defined for site B's traffic endpoint.

Network traffic towards site C (VTI-based tunnel) will no longer be wrongly channeled through the tunnel to site B (tunnel defined in the IPsec policy).

Support reference 85284

Changes have been made to the mechanism that loads the IPsec management engine to prevent concurrent access to its configuration file. Such access would prevent the IPsec configuration from loading when the firewall started up.

Support reference 84856

In the IPsec configuration file, the presence of a string (e.g., certificate CN, certificate name, etc.) that may reference an obsolete encryption algorithm (e.g. des, blowfish, etc.) no longer blocks the firewall's firmware updates.

Support references 85179 - 84968

IPsec VPN tunnels whose phase 2 (IPsec) encryption profiles use the Diffie-Hellman group DH18 MODP (modp8192) for Perfect Forward Secrecy (PFS) can now renegotiate their Security Association (SA) keys again. This regression, which shut down the IPsec tunnel, appeared in SNS version 4.2.

Configuration - IPsec

Support reference 84881

The presence of a rule separator in the IPsec VPN policy, combined with the presence of FQDN objects in the object database, no longer wrongly raises an error during requests to resolve FQDN objects.

Router objects

Support reference 84963

Updating firewalls to SNS version 4.6.9 (and upwards) when they use router objects that were:

  • Created in versions earlier than SNS 4.3,
  • Given names that contain the characters "+" (plus) or "^" (circumflex accent),

no longer prevents these router objects from functioning in the firewall's configuration.

Configuration - Network objects

Support reference 85274

Objects belonging to auto-generated groups (e.g., Network_internals) can now be correctly renamed. This operation no longer generates the system error "The object is included in one or several groups", and the new object name is correctly applied in all groups and configuration modules that use it. This regression appeared in SNS version 4.6.2.

GRETAP tunnels

When the IP address of an active GRETAP tunnel's endpoint is edited, the changes are now correctly applied.

Authentication - RADIUS

Support references 84484 - 84497

The default maximum response time for RADIUS requests can now be raised to 600 seconds. This value can be modified by using the CLI/Serverd command CONFIG.AUTH.RADIUS.

More information about the CLI/Serverd command CONFIG.AUTH.RADIUS.

Authentication - SSO Agent

Support reference 85052

In configurations that used several SSO agents simultaneously, but in which the first agent in the list has since been deleted, the SSO Agent authentication engine now starts correctly when the authentication policy is reloaded.

SNMP Agent

Support references 84861 - 85133 - 85213 - 85232

Issues regarding the management of SNMP tables, which could cause the SNMP agent to shut down unexpectedly, have been fixed.

Monitoring - SN-S-Series and SN-M-Series firewalls

Support reference 85261

SN-S-Series and SN-M-Series firewalls in factory configuration that are equipped with a single power supply module out of two possible modules no longer wrongly generate a major alarm indicating that the second module is missing, unplugged or defective.

SSL VPN - TOTP

Support references 84966 - 84992

The use of customized certificates for the SSL VPN service and TOTP authentication with Stormshield SSL VPN clients no longer requires the client to enter a second TOTP at every connection.

Virtual machines

IPsec load balancing on CPUs

Support reference 85225

An issue regarding IPsec encryption load balancing on CPUs has been fixed on virtual EVA firewalls deployed on hypervisors that use the SR-IOV specification (Single Root I/O Virtualization).

Reminder: IPsec encryption load balancing can be configured using the CLI/Serverd command CONFIG IPSEC CRYPTOLB UPDATE.

More information about the CLI/Serverd command CONFIG IPSEC CRYPTOLB UPDATE.

Intrusion prevention engine

TCP protocol

Support references 84807 - 84515

In some cases, when an RST packet was received while a connection was closing, the connection could be left half-closed. This prevented new connection attempts to the same IP address over the same port and raised the alarm 'Invalid TCP packet for current connection state' (alarm tcpudp:97) until the half-closed connection's timeout was reached. This issue has been fixed.

OPC-UA protocol

Support reference 85275

The OPC-UA protocol's analysis engine is now based on version 1.0.5 of the protocol specification. ReverseHello messages are therefore no longer wrongly blocked, which previously disrupted OPC-UA connections in progress.

Web administration interface

Monitoring - Logs

Support reference 85279

Refreshing log display with the Last hour filter enabled no longer causes a growing lag between the time on displayed logs and the actual time on the firewall.

OPC-DA protocol

Support reference 85129

The entry OPC-DA 3.0 Type Lib no longer appears wrongly and repeatedly in the list of OPC-DA operations to analyze.

Dashboard - Advanced antivirus

Support reference 85281

In a configuration such as the following:

  • The antivirus is enabled,
  • No rules in the active filter policy involve the antivirus.

The firewall's Dashboard no longer wrongly indicates a critical status for the antivirus.